Rootkit prevention?


rick_g22
Posts: 5
Joined: Tue Apr 04, 2006 7:18 pm

Rootkit prevention?

Post by rick_g22 »

Guys, I read on slashdot that Microsoft said there's no solution for rootkits except wiping off the computer and reinstalling. http://it.slashdot.org/article.pl?sid=06/04/04/1426238

What measures has reactOS implemented (or will implement) to prevent rootkits? I mean, things like sandboxes / better limited account management?

Thanks!

P.S. Good to see the auditing is 60% done! :)

Ged
Developer
Posts: 925
Joined: Thu Sep 29, 2005 3:00 pm
Location: UK

Post by Ged »

rootkit prevention is damn near impossible if someone has admin privileges.

The best but most worrying prevention methods are that which MS are planning for x64 on Vista. That being all drivers must be signed by MS.
Obviously not an option for open source machines.

drwook
Posts: 15
Joined: Thu Mar 30, 2006 12:05 pm

Post by drwook »

Nah, MS could rootkit you so that's not the best option.

Now, if you build everything from source that you've actually read yourself then you're safe ;)

Other than that it's down to trust. I'd trust the open source community to notice a rootkitted bit of source code and get it sorted more than Gates & his 'opening a WMF graphic can allow arbitrary code execution with privilege level of user opening it' coupled with 'first user is always an administrator' as a policy during OS installation.

rick_g22
Posts: 5
Joined: Tue Apr 04, 2006 7:18 pm

Post by rick_g22 »

Yes, but what happens if uncle Joe uses my machine to browse the web and "accidentally" downloads a rootkit because he opened an infected e-mail or something? Is my machine screwed up?

My point is, I'd really like reactOS to have a truly manageable limited account (winXP limited accounts suck) or implement some sandboxing by default...

Any thoughts on this?

drwook
Posts: 15
Joined: Thu Mar 30, 2006 12:05 pm

Post by drwook »

ReactOS in qemu on ReactOS, using an overlay? & let 'em have admin rights? ;)

Ged
Developer
Posts: 925
Joined: Thu Sep 29, 2005 3:00 pm
Location: UK

Post by Ged »

drwook wrote:Nah, MS could rootkit you so that's not the best option.

Now, if you build everything from source that you're actually read yourself then you're safe ;)
What? I think you misunderstood me.
The proposal for x64 Vista is that all kernel mode software must be signed before it will load. Thus, opensource drivers will be a thing of the past.

Plus, why would building from source stop a rootkit? Rootkits are installed after a system is up and running. I fail to see how building from source helps to prevent rootkits in any way.

Ged
Developer
Posts: 925
Joined: Thu Sep 29, 2005 3:00 pm
Location: UK

Post by Ged »

rick_g22 wrote: My point is, I'd really like reactOS to have a truly manageable limited account (winXP limited accounts suck) or implement some sandboxing by default...

Any thoughts on this?
As I said, without restricting access to installing kernel mode software, you can't prevent someone from installing a rootkit. You can't restrict access to kernel mode without providing some sort of digital signature for all software. If you did stop software from loading in kernel mode, the computer would be useless.

drwook
Posts: 15
Joined: Thu Mar 30, 2006 12:05 pm

Post by drwook »

Ged wrote:
drwook wrote:Nah, MS could rootkit you so that's not the best option.

Now, if you build everything from source that you're actually read yourself then you're safe ;)
What? I think you misunderstood me.
The proposal for x64 Vista is that all kernel mode software must be signed before it will load. Thus, opensource drivers will be a thing of the past.

Plus, why would building from source stop a rootkit? Rootkits are installed after a system is up and running. I fail to see how building from source helps to prevent rootkits in any way.
Crossed wires I guess. I was including the OS in the 'everything', and using the logic that many eyes close many bugs about security vulnerabilities :)

& open source drivers might well be a thing of the past for MS Windows, but as Darth Vader said to Admiral Ozzel "The power to destroy a single proprietary OS is insignificant compared to the power of the source". We'll still have Linux. And *BSD. And hopefully a more and more useful ReactOS.

Something like that anyway... Maybe I need more sleep!

ThePhysicist
Developer
Posts: 508
Joined: Mon Apr 25, 2005 12:46 pm

Post by ThePhysicist »

I don't think it is impossible to stop rootkits.
1. Never do your normal work as Administrator. Users should be able to burn cds, etc.
2. Make Software restriction profiles, by default "untrusted". This software is not allowed to do anything like driver installation or anything else harmful to your computer or privacy. Only if you specifically allow this software to do something, it will do it.
-> It's up to the user to decide if strippoker.exe may install a driver or not or if hotbabesaccess.exe may use my ISDN adapter or ...
3. Don't allow hooking functions like NTCreateProcess or something like that without a big warning!

The problem today is not different users who might do harm to the system, like all OSes are designed for. In most cases (at least desktop windows machines) the user is the admin. The problem is the software that does things that the user doesn't know. So let the user know and ask him and give him the possibility to decide for himself if he wants to trust software or not.

There will always be users who don't care but then it's their fault, not the OS's. And there's always the risk of downloading a modified driver for your graphics card that contains a rootkit, but that is normally not the way rootkits are installed.

I trust Firefox, Thunderbird, FileZilla, Zinf and MirandaIM and allow them to use the internet, no other application is allowed to call home. And I prefer clicking several times on "allow" when installing a driver to having suspicious software installing rootkits or autostart stuff or calling/dialing home.

About signed drivers/trusted computing stuff: I suppose the rootkit driver that Sony's audio CDs automatically installed was signed by MS. I prefer to decide for myself whom I want to trust, not MS and not Sony!

Ged
Developer
Posts: 925
Joined: Thu Sep 29, 2005 3:00 pm
Location: UK

Post by Ged »

ThePhysicist, so if I 0-day your machine, drop a shell with local privs and install a rootkit, how would your 1-3 stop that?

The fact is, as long as you allow privileged users to install things like drivers, there is no way to stop it. You can make it difficult with good security measures, but you can't stop it.

This is the reason MS are going to such controversial lengths.

StringCheesian
Posts: 31
Joined: Mon Mar 28, 2005 11:37 pm

Post by StringCheesian »

No one is saying it could prevent that.

Currently you can choose between running as a limited user and having many of your apps not work. Permission denied error messages getting in your way all the time. Or you can choose to run as admin and worry about which apps are abusing admin privileges.

Both choices suck.

Can't it work like this?
1. User has CD autorun enabled. Inserts a music CD with anti-piracy measures including a crippled replacement for the CD burner driver.
2. User gets a popup:
Execution of this application has been paused because it is attempting to do something not permitted at its privilege level: install a driver for device: CD burner.

Click OK to elevate the app's privilege level. WARNING: This is NOT RECOMMENDED.
Click Cancel to block this attempt. (whatever function the application called will return a permission denied error code)

[check-box] don't ask again for this application (CD autorun)
And like a Firefox plugin install popup, Cancel is focused by default and OK is unclickable for a 5 second countdown.
Last edited by StringCheesian on Wed Apr 05, 2006 12:45 am, edited 1 time in total.
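The restriction profile ThePhysicist lists (points 1-3) and the pause/confirm dialog StringCheesian sketches, modelled as a small policy mediator in Python. This is an added example, not ReactOS code or any poster's code; the operation names, the error code and the constructed user answers are assumptions.

```python
"""Per-application software restriction profile: every app starts "untrusted",
privileged operations are paused for a user decision, and the answer can be
remembered per application ("don't ask again"). Constructed example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Operations the thread names as needing explicit consent (assumed names).
PRIVILEGED = {"install_driver", "hook_kernel_function", "add_autostart", "network_access"}
ERROR_ACCESS_DENIED = 5   # returned to the blocked caller, as the dialog text promises
STATUS_OK = 0

@dataclass
class Policy:
    remembered: Dict[Tuple[str, str], bool] = field(default_factory=dict)  # (app, op) -> decision
    allow_listed: Dict[str, Set[str]] = field(default_factory=dict)        # apps trusted per op
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)       # every mediated call

def mediate(policy: Policy, app: str, op: str,
            ask: Callable[[str, str], Tuple[bool, bool]]) -> int:
    """Decide whether `app` may perform `op`. `ask(app, op)` stands in for the
    dialog and returns (allowed, remember); the caller stays paused until it answers."""
    if op not in PRIVILEGED:
        return STATUS_OK                      # unprivileged calls are not mediated
    if op in policy.allow_listed.get(app, set()):
        decision = True                       # explicitly trusted, no dialog
    elif (app, op) in policy.remembered:
        decision = policy.remembered[(app, op)]
    else:
        decision, remember = ask(app, op)     # default profile: untrusted, so we ask
        if remember:
            policy.remembered[(app, op)] = decision
    policy.audit.append((app, op, decision))
    return STATUS_OK if decision else ERROR_ACCESS_DENIED

def demo():
    """Replay the thread's scenarios with constructed user answers."""
    policy = Policy(allow_listed={"firefox.exe": {"network_access"}})
    answers = {("cdautorun.exe", "install_driver"): (False, True)}  # Cancel + don't ask again
    asked: List[Tuple[str, str]] = []
    def ask(app, op):
        asked.append((app, op))
        return answers.get((app, op), (False, False))  # Cancel is the default, ask again later
    results = [
        mediate(policy, "firefox.exe", "network_access", ask),    # trusted: silently allowed
        mediate(policy, "cdautorun.exe", "install_driver", ask),  # asked, cancelled, remembered
        mediate(policy, "cdautorun.exe", "install_driver", ask),  # denied without a dialog
        mediate(policy, "strippoker.exe", "add_autostart", ask),  # asked, denied, not remembered
        mediate(policy, "strippoker.exe", "read_file", ask),      # not privileged: passes
    ]
    return results, asked, policy
```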

ThePhysicist
Developer
Posts: 508
Joined: Mon Apr 25, 2005 12:46 pm

Post by ThePhysicist »

Ged wrote:ThePhysicist, so if I 0-day your machine, ...
Sorry, I'm from Germany, could you explain "0-day your machine"? Do you mean "hack"? Good luck, you will have to hack a (pretty well configured) DrayTek router and after it a Linux SA and then you will need a security hole to get around my desktop firewall.
...drop a shell with local privs and install a rootkit, how would your 1-3 stop that?
The answer is: A normal user wouldn't do that! (At least I guess so) I wouldn't probably do that!
As I pointed out, in most cases it's not the wrong user that installs the rootkit, it's the wrong software executed by the normal (admin) user.
Of course I can also break into your house, boot a linux cd on your computer and install whatever I like on your hdd, but this is not the normal case.
And if someone is hacking my computer from outside, then we are not talking about rootkits, but other security holes. And if someone at my home is doing something bad to my computer, then ... then I will probably know where he lives :twisted:
The fact is, as long as you allow privileged users to install things like drivers, there is no way to stop it. You can make it difficult with good security measures, but you can't stop it.
Of course you can't stop it. But you can inform/ask the user about it. And that's already the half rent. (OK, that's probably a very stupid translation from German ;-))
If Windows would always ask if program xy is allowed to install a driver or hook a kernel function or put an entry into autostart, there would be lots fewer problems with malware.
There are a lot of tools that help you to secure your Windows / find spyware/rootkits. If Windows was as secure as possible, these programs wouldn't need to be there. They would be a part of Windows.

Let us think you are rich and have an employee that manages all your financial things. You take a room in a hotel for 1 day and after you leave you tell him to pay the bill. You will probably want to be asked if it is ok that you have to pay 13.745 € for pay-per-view, or not? If you don't care it's your fault, but if he just pays without asking, I would say it's his fault!

Nmn
Posts: 170
Joined: Wed Dec 07, 2005 10:20 pm
Location: In front of my pc maybe?

Post by Nmn »

It's partially up to admins to teach the users if it's an option. But most of all, warning and confirming stuff would work. Ex: Let's just say somebody downloads a virus. This virus is modifying/creating/deleting a file in your windows directory or an installed program's directory. We could implement a linux like system, where you have a password prompt, or simple confirm dialogs.

The confirm dialogs would have to freeze either the process that is needing permission or all non critical processes while it shows up. An End Process button would be included on such a dialog.

Of course, all of these dialogs could get annoying, but installers for signed drivers.. if someone ever makes a (cracks the code for a) verifier.. it could be ok. Since the user can decide what folders are programs, even programs with unusual installers could work. Now, furthermore, we could have certain verified checksum-filesize combinations to be approved, with an update utility of some sort. This is more work for developers, but it would be totally worth it - closer to a virus free operating system. Developers that have time could help, or I could. I'm pretty good with blowing up my computer and fixing it...

Is this too overwhelming? Am I being an @$$hole? Just suggestions. Mine end up being too complex.

Ged
Developer
Posts: 925
Joined: Thu Sep 29, 2005 3:00 pm
Location: UK

Post by Ged »

ThePhysicist wrote: Sorry, I'm from Germany, could you explain "0-day your machine"? Do you mean "hack"? Good luck, you will have to hack a (pretty well configured) DrayTek router and after it a Linux SA and then you will need a security hole to get around my desktop firewall.
lol, ok then.
Desktops firewalls and everything ....
...drop a shell with local privs and install a rootkit, how would your 1-3 stop that?
The answer is: A normal user wouldn't do that! (At least I guess so) I wouldn't probably do that!
As I pointed out, in most cases it's not the wrong user that installs the rootkit, it's the wrong software executed by the normal (admin) user.
eh? I think you're slightly misguided here.
Rootkits are generally installed on compromised machines to regain access at will.

I'm too lazy to quote and reply to the rest.

steveh
Posts: 271
Joined: Sat Dec 18, 2004 10:02 pm

An idea for malware prevention, at least for opensource ...

Post by steveh »

Suppose this mechanism, to be optionally activatable:

Normally users receive a warning with "confirm prog. start Y/N" when running a new EXE not yet registered in the registry. You can confirm Y or deny N. Confirm also registers the program.

Exception:
If the new program is opensource and, according to a certain "standard" to be proposed by ROS development, the executable contains at an internal code location the FTP url of its source, and if some key validation between a key in the executable, and another key on that FTP site, is successful, then the program is validated to be "goodware"-opensource and the warning does not appear...

I suppose malware programmers would NOT try to comply with that mechanism because the nasty code published as source would be recognized as malware by C experts very quickly, wouldn't it?

:)
